Thu Nov 23 16:34:03 EST 2017
alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any (
msg:"ATTACK RESPONSES http dir listing"; content: "Volume Serial Number"; flags: A+;
classtype:bad-unknown; sid:1292; rev:1;)
is close to what I use to help alert for 'vulnerable hosts' that
don't also get to tftp a file.
pat = "<DIR>";
pat2 = "Directory of C";
is used in
Uses <DIR> because it was constant regardless of language settings.
I'm in the US and it's hard to get another Windows language version. What
are you seeing?
>> > btw. I'm security engineer at a large(?) ISP and snort has to analyse a
>> > continuous flow of 3Mbytes/s. So you can imagine that rules with too
>> > much false positives just aren't useful to me.
>> What I do is mine out what I don't want and only investigate a certain
>> subset. It's not really setup to be tied to my pager though :>
> Well I defined some "code-reds" that are going to be tied to my gsm. :-)
Yeah I have those too. The CNET is the one I was complaining about for a
false alarm :)
Summary for those playing along at home:
Add some outgoing rules for exploit du jour that would mark them
differently than things going to HOME_NET.
How to cycle through what is du jour aside from doing all the rules is
Of course, several places I've talked to run IDS in reverse to just
see what they are doing to the outside world but that seems a bit
wasteful since we are already running.
Chris Green <cmg at ...26...>
You now have 14 minutes to reach minimum safe distance.
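As an added illustration of the matching logic discussed in this thread (this is my example, not Chris's code and not a rule shipped with Snort), the block below applies the sid 1292 content match and the locale-independent `<DIR>` check to constructed HTTP response segments, honouring the same direction constraint as the rule: only traffic from `$HTTP_SERVERS` port 80 toward `$EXTERNAL_NET` with the ACK flag set is inspected. The `HTTP_SERVERS` / `HOME_NET` addresses, the second sid and the sample payloads are all assumptions made up for the example.

```python
from dataclasses import dataclass

# Assumed network layout standing in for the Snort variables in the post.
HTTP_SERVERS = {"10.0.0.5", "10.0.0.6"}   # hypothetical $HTTP_SERVERS
HOME_NET_PREFIX = "10.0.0."               # hypothetical $HOME_NET; $EXTERNAL_NET is everything else

@dataclass
class Segment:
    """One TCP segment, reduced to the fields the rule header and flags look at."""
    src: str
    sport: int
    dst: str
    payload: bytes
    ack: bool = True   # 'flags: A+' means ACK must be set, other flags don't matter

# Each rule is a set of case-sensitive byte patterns that must all appear in the payload,
# which is how Snort's plain 'content:' matching behaves.
RULES = [
    # sid 1292 from the post: English header line of a Windows "dir" listing
    {"sid": 1292, "msg": "ATTACK RESPONSES http dir listing",
     "all_of": [b"Volume Serial Number"]},
    # hypothetical sid for the locale-independent marker ("<DIR>" is printed by every
    # Windows language version, so it catches listings that lack the English header)
    {"sid": 1000001, "msg": "ATTACK RESPONSES http dir listing (<DIR> marker)",
     "all_of": [b"<DIR>"]},
]

def is_external(ip: str) -> bool:
    return not ip.startswith(HOME_NET_PREFIX)

def match(seg: Segment) -> list:
    """Return [(sid, msg), ...] for every rule the segment triggers."""
    # Rule header: $HTTP_SERVERS 80 -> $EXTERNAL_NET any, plus flags: A+
    if seg.src not in HTTP_SERVERS or seg.sport != 80 or not is_external(seg.dst) or not seg.ack:
        return []
    return [(r["sid"], r["msg"]) for r in RULES
            if all(pat in seg.payload for pat in r["all_of"])]

def scan(segments) -> dict:
    """Count alerts per sid over a batch of segments (what you would pull into a report)."""
    counts = {}
    for seg in segments:
        for sid, _ in match(seg):
            counts[sid] = counts.get(sid, 0) + 1
    return counts

# Constructed sample payloads (not captured traffic).
ENGLISH_LISTING = (b"HTTP/1.0 200 OK\r\n\r\n Volume in drive C has no label.\r\n"
                   b" Volume Serial Number is 1234-ABCD\r\n\r\n Directory of C:\\inetpub\\wwwroot\r\n\r\n"
                   b"11/23/2017  04:34 PM    <DIR>          .\r\n")
# A listing with the English header lines stripped, standing in for a non-English locale.
BARE_LISTING = b"HTTP/1.0 200 OK\r\n\r\n11/23/2017  04:34 PM    <DIR>          .\r\n"
# Ordinary page using the legacy lowercase HTML <dir> element: must not alert.
HTML_PAGE = b"HTTP/1.0 200 OK\r\n\r\n<html><body><dir><li>item</li></dir></body></html>"

SAMPLES = [
    Segment("10.0.0.5", 80, "203.0.113.7", ENGLISH_LISTING),   # server -> outside, both rules
    Segment("10.0.0.5", 80, "203.0.113.7", BARE_LISTING),      # server -> outside, <DIR> only
    Segment("10.0.0.5", 80, "203.0.113.7", HTML_PAGE),         # benign
    Segment("203.0.113.7", 4444, "10.0.0.5", ENGLISH_LISTING), # wrong direction, ignored
    Segment("10.0.0.5", 80, "10.0.0.9", ENGLISH_LISTING),      # stays inside HOME_NET, ignored
]

if __name__ == "__main__":
    for seg in SAMPLES:
        print(seg.src, "->", seg.dst, match(seg))
    print(scan(SAMPLES))
```

The direction check is what keeps the rule quiet on a busy sensor: a listing that comes from an outside host, or one that never leaves HOME_NET, is not what the rule is meant to flag. The `<DIR>` match is case-sensitive on purpose, so the lowercase HTML `<dir>` element in ordinary pages does not trip it; an uppercase `<DIR>` tag in old HTML would still match, which is the kind of false positive worth mining out of the alert set rather than paging on.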